Advanced Hunting: Surfacing more email data from Microsoft Defender for Office 365
As part of this update, we have added new columns that enable more relevant and effective investigations. These additions to the EmailEvents, EmailAttachmentInfo, and EmailPostDeliveryEvents tables are currently available in public preview.
We've made the following updates to these tables:
- AuthenticationDetails (EmailEvents table) – This column includes detailed information about the different authentication checks that were applied or analyzed, such as SPF, DKIM, DMARC, and CompAuth. While SPF, DKIM, and DMARC are the industry-standard checks, composite authentication (CompAuth) is a value indicating that a combination of email authentication checks, like SPF, DKIM, and DMARC, was used to determine whether the message is authentic. It uses the domain in the From field of the email as the basis for the evaluation.
Note: In some cases, a record will not show all the values in this column. This can occur if a partial check was needed to return a verdict for the email.
- Filesize (EmailAttachmentInfo table) – This column provides the size of an email attachment in bytes.
- ThreatTypes and details (EmailPostDeliveryEvents table) – Before the update, the EmailPostDeliveryEvents table already contained information about all actions attempted on an email after delivery, including ZAP and manual remediation actions. In addition to the action metadata, we've added details about threats and detection methods (when applicable) as separate columns within the table. This is useful for hunting scenarios involving delayed weaponization or updated verdicts. For these cases, join the events with the EmailEvents table to get a more comprehensive view.
Here are a few examples that make use of these fields:
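The following query is an added example, not one from the original post: it joins post-delivery ZAP actions back to the original delivery record so the threat type and detection method surfaced in EmailPostDeliveryEvents can be read alongside the authentication results from EmailEvents. It assumes AuthenticationDetails is a JSON string with SPF, DKIM, DMARC, and CompAuth keys, and that "Phish ZAP" and "Malware ZAP" are the ActionType labels for zero-hour auto purge.

```kusto
// Added example: delayed-verdict hunting across EmailPostDeliveryEvents and EmailEvents.
// Assumption: AuthenticationDetails parses to an object with SPF/DKIM/DMARC/CompAuth keys.
// Assumption: ZAP actions are labelled "Phish ZAP" / "Malware ZAP" in ActionType.
let lookback = 7d;
EmailPostDeliveryEvents
| where Timestamp > ago(lookback)
| where ActionType =~ "Phish ZAP" or ActionType =~ "Malware ZAP"
| project PostDeliveryTime = Timestamp, NetworkMessageId, RecipientEmailAddress,
          ActionType, ActionResult, ThreatTypes, DetectionMethods
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    // Pull the individual verdicts out of the new AuthenticationDetails column.
    | extend Auth = parse_json(AuthenticationDetails)
    | project DeliveryTime = Timestamp, NetworkMessageId, RecipientEmailAddress,
              SenderFromAddress, Subject, DeliveryAction,
              SPF = tostring(Auth.SPF), DKIM = tostring(Auth.DKIM),
              DMARC = tostring(Auth.DMARC), CompAuth = tostring(Auth.CompAuth)
  ) on NetworkMessageId, RecipientEmailAddress
// Gap between initial delivery and the post-delivery remediation.
| extend MinutesToRemediation = datetime_diff("minute", PostDeliveryTime, DeliveryTime)
// Focus on mail that was delivered despite not passing composite authentication,
// or where the record carries no CompAuth value (see the partial-check note above).
| where CompAuth !~ "pass" or isempty(CompAuth)
| project PostDeliveryTime, DeliveryTime, MinutesToRemediation, SenderFromAddress,
          RecipientEmailAddress, Subject, DeliveryAction, ActionType, ActionResult,
          ThreatTypes, DetectionMethods, SPF, DKIM, DMARC, CompAuth
| order by PostDeliveryTime desc
```

Rows with a large MinutesToRemediation and a ThreatTypes value that was not present at delivery are the delayed-weaponization cases the new columns are meant to expose.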
Read more about Advanced Hunting here and learn about the schema for the email tables here.
To start hunting using these enhancements, turn on public preview features for Microsoft 365 Defender. Leave a comment below for thoughts and questions, or use the feedback button in the portal.